Originally posted by Hagathaone: I've hit a brick wall already... here's what I have done:

1. Secure Password - already had one, it turns out.

By the way, I do not understand the term "key" as in "Navigate to and delete the keys".

Change your password, You've been compromised."KEY"

That refers to the "registry" key. It's located in the Registry Editor (well, that's the fastest way to find it).

Take a look here:

After you locate "Microsoft" again, click on the + to the left and scroll down until you see "Windows". Click on the + to the left and scroll down until you see "CurrentVersion". Click on the + to the left and scroll down until you locate "Run". Double click on "Run", now look at the window on the right. See anything?

Follow part "D >" below. (If you double click on the files here you will see the values) delete only the "values" listed here. Do not delete the folders on the left, only the values on the right.

Then use the same "navigation procedure" to locate the "Key" in step "h", but now if you find that "key" located on the left side of the window (it will look like a folder) delete it entirely.

It will be in the left side of the registry window. There are two you must delete... these are the registries for the worms themselves! They are the worm's hooks. One is called "soundman", the other is "svc".

Therefore these computer sentences need to go:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SoundMan

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svc32

Understand?

A> Click Start, and then click Run. (The Run dialog box appears.)

B> Type regedit

Then click OK. (The Registry Editor opens.)

C> Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

D> In the right pane, delete any of the following values:

"^`d}qZxu" = "~`d}qzxu3zYF"

"Configuration Loader"="confgldr.exe"

"Video Process"="sysconf.exe"

"Service Host Process"="spoolsvc.exe"

"svchost"="winhelp.exe"

"csrs"="csrs.exe"

E> Do one of the following: If you are using Windows NT/2000/XP, skip to step h. If you are using Windows 95/98/Me, go on to step f.
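The same locations that steps A-E and the two service keys above have you inspect by hand can be read from a script, which makes it easier to see exactly what is there before anything is deleted and to confirm afterwards that it is gone. The following is an added example, not code from the thread or from any of its posters; it assumes a Windows machine with PowerShell installed, and it only reads the registry and reports, using the value names, data and service key paths quoted in the post above as its watch list.

```powershell
# Added example (not from the thread): read-only audit of the autorun locations
# that steps A-E and the two service keys above refer to. It reports and flags;
# it deletes nothing, so it can be run before and after a manual cleanup to
# confirm what is actually there. Assumes a Windows machine with PowerShell.

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Value names and data quoted in step D of the post
$suspectNames = @('Configuration Loader', 'Video Process', 'Service Host Process', 'svchost', 'csrs')
$suspectData  = @('confgldr.exe', 'sysconf.exe', 'spoolsvc.exe', 'winhelp.exe', 'csrs.exe')

# Service keys the post says belong to the worm
$suspectServices = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SoundMan',
    'HKLM:\SYSTEM\CurrentControlSet\Services\svc32'
)

function Get-RunValues {
    # Returns every value under a Run key as Name/Data pairs.
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Name = $name; Data = [string]$key.GetValue($name) }
    }
}

function Get-RunValueFlag {
    # Explains why a Run value deserves a second look, or returns '' if it matches nothing.
    param($Value)
    if ($suspectNames -contains $Value.Name) { return 'name listed in step D' }
    foreach ($d in $suspectData) {
        if ($Value.Data -like "*$d*") { return "data listed in step D ($d)" }
    }
    # The real svchost.exe is started by the service control manager, never from
    # the Run key, so a Run value spelled like it (svchost, scvhost, ...) is worth
    # checking: look at the full path and file properties before deciding anything.
    if (($Value.Name + ' ' + $Value.Data) -match 's[cv]{2}host') { return 'svchost look-alike' }
    return ''
}

Write-Host "Values under $runKey"
$values = @(Get-RunValues -Path $runKey)
if ($values.Count -eq 0) { Write-Host '  (none)' }
foreach ($v in $values) {
    $flag = Get-RunValueFlag -Value $v
    $line = '  "{0}" = "{1}"' -f $v.Name, $v.Data
    if ($flag) { $line += "   <-- $flag" }
    Write-Host $line
}

Write-Host ''
Write-Host 'Service keys named in the post:'
foreach ($svc in $suspectServices) {
    if (Test-Path -Path $svc) {
        $image = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
        Write-Host "  PRESENT  $svc   ImagePath: $image"
    } else {
        Write-Host "  absent   $svc"
    }
}
```

Reading these keys needs no special privileges, so the script can be run from an ordinary PowerShell window; removing anything still has to be done deliberately, in regedit as the post describes, after checking what the flagged file actually is. Note that the per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\Run is a second autorun location worth looking at with the same script (change `$runKey`), since the post only covers the machine-wide one.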

Inferno, you are a wiz!!! I hope the manual process you outlined works for hagatha since the cleanup tool didn't.

Jenny100, thanks for posting the link to Gibson's site. I've known about GRC for years and periodically go there and run the port scan to make sure that something I do, or a patch or an install does, hasn't changed my "all ports stealthed" to something less secure.

I suggest that everyone also go to GRC's homepage, follow the links, and read, read, read!

1. I have edited and saved the Hosts file at least 100 times (no exaggeration). Doesn't matter. As I found out yesterday when I started using Safe Mode, the next time I start my computer, be it in Safe or Normal Mode, the virus files are back in the Hosts file. Always. 100% of the time. They aren't going anywhere.

2. There are no virus files in the Registry. I have double and triple checked, and those files don't appear. There is nothing in any of those registry Keys that has an = in it at all. Nor are the keys I am to delete present. Now I don't know if there is something that is not displayed, but I can't see any of those files or keys.

3. When I restart my computer in Normal Mode, my Norton still won't start. Not just the Live Update, but Norton Antivirus itself. Nothing happens when I click on it. But that wouldn't matter, because as soon as I have restarted my computer, all the virus files are back in the Hosts file. This happens without fail - Safe or Normal mode.

Also, in the instructions last night I was to open the System Configuration Utility and restart in SAFEBOOT and THEN run Norton. But as I noted, there is no Safeboot, and the Diagnostic Mode option I have is not at all the same as Safe Mode - it looks totally different. Am I supposed to do this step now? I can't tell.

So, I must have missed something or a step somewhere, or this just is not working.

I have not installed any patches at all. When I tried to get the MS03-26 and MS03-007 patches from the Security site, the page never loaded.

My last-ditch attempt was to edit the Hosts file and registry in Safe, and then run that virus removal program I downloaded. It indicated no virus on my computer.

Then I restarted in Normal, and the Hosts file was full again. So manually removing the files apparently is not the solution. The virus seems to be residing somewhere else on my system and is reactivated when the computer starts.

Even with the Hosts file edited and saved, and all non-essential programs turned off, and the antivirus program indicating no virus, running in Normal Mode, I cannot uninstall or run Norton Antivirus (I could, however, uninstall anything else if I wanted to).

Don't know if anyone else has had this happen, but it seems I am not going to get rid of this without a complete re-install.

You need to uninstall or delete Norton and then reinstall it, while in Normal mode.

Remember that "Host file" I had you download? You could try that.

In Selective Startup or Safe Mode (remember that they are one and the same), instead of deleting all the files one at a time... just delete the whole Host file... replace it with the "new host file" on that floppy I had you download last night. Just use Windows Explorer and copy the unzipped new Host file into the directory which originally housed your bad file. Delete the registry values and keys once again like before. Go to your desktop and delete the contents of the recycle bin. Use Windows Explorer and delete all Norton files (you have nothing to lose now as Norton has been disabled anyway).

Go to regedit once again and choose Normal Startup. Close out of all open programs and SHUT OFF your system.

Turn on your system... Install Norton and try running Live Update. If this is successful then run a full system scan. Delete any files that it finds regarding the worm.

See if this works... This happened to me last year with the Wehlacia Worm. I wound up removing it from my system, but I had damaged my registry because I deleted the wrong file. I wound up having to reinstall Windows XP. I lost all my data. I really empathize with what you're going through. Marita can tell you just how upset I was.
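The posts above describe a hosts file that is re-edited by hand and replaced wholesale, yet comes back changed after every reboot. Rather than eyeballing the file each time, a practitioner would want a quick check that lists what is in it beyond the stock localhost line, flags entries that redirect antivirus or update sites (the classic reason an infected machine cannot reach Live Update), and records a hash so the next run shows whether the file was rewritten. The following is an added example, not code from the thread or from any of its posters; it assumes a Windows machine with PowerShell, the location of the baseline hash file is this script's own choice, and the list of vendor name fragments is constructed for illustration.

```powershell
# Added example (not from the thread): read-only check of the hosts file that
# the posts above keep editing and replacing. It lists every entry that is not
# the stock localhost line, flags entries that redirect antivirus or update
# sites, and keeps a hash so a second run (after a reboot, say) shows whether
# something rewrote the file. Assumes a Windows machine with PowerShell; the
# baseline location is this script's own choice.

$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$baselinePath = Join-Path $env:TEMP 'hosts-audit-baseline.txt'   # assumption: where the hash is kept

# Host-name fragments a worm would have a reason to block (constructed list, extend as needed)
$vendorPattern = 'symantec|norton|liveupdate|microsoft|windowsupdate|trendmicro|mcafee|sophos|kaspersky'

function Get-HostsEntries {
    # Parses the hosts file into Address / Names objects, ignoring comments and blank lines.
    param([string]$Path)
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -replace '#.*$', '').Trim()
        if ($line -eq '') { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }   # address with no name: malformed, skip
        [pscustomobject]@{ Address = $parts[0]; Names = @($parts | Select-Object -Skip 1) }
    }
}

function Test-StockEntry {
    # True for the only entries a clean Windows hosts file carries: localhost on loopback.
    param($Entry)
    (@('127.0.0.1', '::1') -contains $Entry.Address) -and (($Entry.Names -join ',') -eq 'localhost')
}

function Get-FileSha256 {
    # Hex SHA-256 of a file, using .NET directly so it works on old PowerShell versions too.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$file = Get-Item -Path $hostsPath
Write-Host "hosts file: $hostsPath"
Write-Host "  last written: $($file.LastWriteTime)   attributes: $($file.Attributes)"

$nonStock = @(Get-HostsEntries -Path $hostsPath | Where-Object { -not (Test-StockEntry $_) })
if ($nonStock.Count -eq 0) {
    Write-Host '  only stock localhost entries present'
}
foreach ($e in $nonStock) {
    $names = $e.Names -join ' '
    $note = ''
    if ($names -match $vendorPattern) { $note = '   <-- security vendor / update site redirected' }
    Write-Host ('  {0,-16} {1}{2}' -f $e.Address, $names, $note)
}

# Compare with the hash recorded by the previous run, then record the current one.
$current = Get-FileSha256 -Path $hostsPath
if (Test-Path -Path $baselinePath) {
    $previous = (Get-Content -Path $baselinePath | Select-Object -First 1)
    if ($previous -eq $current) { Write-Host "  unchanged since last run (sha256 $current)" }
    else { Write-Host "  CHANGED since last run: was $previous, now $current" }
} else {
    Write-Host "  no baseline yet; recording sha256 $current"
}
Set-Content -Path $baselinePath -Value $current
```

Run it once right after replacing the hosts file, then again after the reboot: if the hash has changed and the vendor-site lines are back, something that starts at boot is rewriting the file, which is the situation the poster describes and the reason the thread moves on from editing the file to finding what runs at startup. The `attributes` line is also worth reading, since a file that has been set read-only by something other than the user is another sign worth noting.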

I have now deleted the Hosts file in Safe Mode and unzipped the downloaded file into that folder.

However, I still cannot find anything in the Registry that conforms to the values you've indicated. I never have!

There is one value in CurrentVersion/Run that is close:

scvhost=svchost.exe, but that is not the same as the one in the list.

Should I delete this??????? I don't dare try anything else until I know, because if it's wrong I'm hooped. I will have to leave my computer on and in Safe Mode, because once I go back into Normal, if the virus is still there I will have to download the file again, and this computer I'm on right now is a royal pain; dial-up connection, and a space bar that does not work.

I do not think I keep getting re-infected, because I have had my internet connection unplugged for most of the last week. The virus is lurking somewhere, but my registry doesn't have those values or the keys.

That TrendMicro scan I downloaded on Saturday, which I have run about 50 times, all of a sudden found Nachi.b TODAY. It's never done that before, and NACHI.B was supposedly removed by the on-line scan I used last Saturday. I haven't seen it since then.

As I say, my registry does not contain the keys and values for AGOBOT, although the TrendMicro scan has found it several times in the past (but is not finding it right now). That same scan has in the past found Sasser a few times, but it does not find it right now.

But with my computer not linked to the Internet I don't know how I could have been reinfected with NACHI.B. I just don't understand it.

Is this your only computer? Would it be possible for you to attach this drive as a slave (or 2nd master on the other IDE chain) of another computer?

The only reason I suggest this is because you seem to be so deeply mired in difficulties here that you might be better off to scan the drive for a virus, worm, etc. from a working system. In that way you can isolate, remove, repair, etc. from that system. You could also simply copy all your important data, files, favorites, etc. to the main drive and reinstall XP (I assume) on your drive.

Hi there. In the end that is likely what will happen with my system but it won't be me who's doing it. I know someone who is a genius with this sort of thing and I guess I'll have to let him work it out for me. Thanks to everyone who tried to help. I know a heck of a lot more about computers now than I did before, that's for sure.

On the very much brighter side, I did go out and buy a second computer just for games and not to connect to the Internet. I dropped a fair bit of cash on it, and bought a 19" screen, and my word, does that thing fly! I can hardly wait to see how Morrowind and its expansions perform on it. My old system can be for older games - I think I'll put Win 98 back on, or maybe have both 98 and XP on it. Since I still play a lot of BG/IWD and things like Thief and Deus Ex, that would be worthwhile for a few more years, anyway.

And anyway, a girl can't have too many shoes, handbags or computers, I always say. And my partner can't complain about my profligate spending because he has three computers himself (not as many shoes or handbags, though).